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y3 PRELIMINARY AMENDMENT 

BoxPCT 

JL Assistant Commissioner for Patents 
J{ Washington, D. C. 20231 



Dear Sir: 



In connection with the above-identified application filed herewith, please enter the 
following preliminary amendment, which is based on the Article 34.2 amendments, based on 
claims amended in prosecution of the international application and published in the International 
Preliminary Examination Report, a copy of which is enclosed herewith (marked-up copy 
attached): 



IN THE ABSTRACT 
Insert the attached Abstract page into the application as the last page thereof. 



IN THE SPECIFICATION 
A courtesy copy of the present specification is enclosed herewith. However, the 
World Intellectual Property Office (WIPO) copy should be relied upon if it is already in the U.S. 
Patent Office. 

IN THE CLAIMS 
Please amend the following claims: 

3. (Amended) Method according to claim 1, such that the security parameter k is 
a small integer, especially smaller than 100. 

4. (Amended) Method according to claim 1, such that the size of the modulus n is 
greater than several hundreds of bits. 

5. (Amended) Method according to claim 1, such that the f prime factors p p p 2 , 
. . . p f have a size close to the size of the modulus n divided by the number f of factors. 

6« (Amended) Method according to claim 1 such that, among the f prime factors 
Pi,> Pv Pf 

- a number e of prime factors congruent to 1 modulo 4 is chosen, e possibly being 
zero (should e be zero, the modulus n will hereinafter be called a basic modulus, should e 
> 0, the modulus n will hereinafter be called a combined modulus), 

- the f-e other prime factors are chosen to be congruent to 3 modulo 4, f-e being at 
least equal to 2. 



9. (Amended) Method according to claim 7 such that, to produce the e prime 
factors congruent to 1 modulo 4, each prime factor candidate p is evaluated, from p f _ e to 
p f , in being subjected to the following two successive tests: 

(1) First test 

- the Legendre symbol is computed for each base number & ( from g x to g m? 
with respect to the candidate prime factor p, 

• if the Legendre symbol is equal to -1, the candidate p is rejected, 

• if the Legendre symbol is equal to +1, the evaluation of the candidate p is 
continued in passing to the following base number and then, when the last base 
number has been taken into account, there is a passage to the second test. 

(2) Second test 

- an integer number t is computed such that p-1 is divisible by 2\ but not by 
2 t+1 , then 

- an integer s is computed such that s = (p-l+2 t )/2 t+1 . 

- the key (s, p) is applied to each public value G t to obtain a result r 
r = G { s mod p 

• if r is equal to & or - g i3 the second test is continued in passing to the 
following public value G i+1 . 

• if r is different from gj or - g i? a factor u is computed in applying the 
following algorithm: 

• • the algorithm consists of the repetition of the following sequence specified 
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for an index ii ranging from 1 to t-2: 

• • the algorithm implements two variables: w initialized by r and jj = 2" 
assuming values ranging from 2 to 2 t_2 , as well a number b obtained by application of 
the key {(p-l)/2 t , p) to a non-quadratic residue of CG(p), then the following steps 1 

and 2 are iterated: 

* • ♦ Step 1 : wVQ (mod p) is computed, 

• • • Step 2: the result is raised to the power of 2 t ~ 11 ' 1 . 

• • • • If +1 is obtained, the second test is continued in passing to 
the following public value G i+1) 

• • • • If -1 is obtained, jj = T is computed and then w is replaced 
by w.b" (mod p), then the algorithm is continued for the following value 
having an index ii. 

• • at the end of the algorithm, the value in the variable jj is used to compute an 
integer u by the relation jj = 2 t u and then the expression t-u is computed. Two 
cases arise: 

... if t-u < k, the candidate p is rejected 

• • • if t-u > k, the evaluation of the candidate p is continued in 
continuing the second test and in passing to the following public value G i+lj the 
candidate p is accepted as a prime factor congruent to 1 modulo 4 if, at the end 
of the second test, for all the m public values G i? it has not been rejected. 
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10. (Amended) Protocol applying the method according to claim 1, said protocol 
being designed to prove the following to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of m pairs of private values Q 1? Q 2 , ... Q m and public values Gi> G 2 ? • • • G m , or 
parameters derived from these values; 

said modulus and said values being linked by relations of the following type: 
G { . Qj v s 1 . mod n or Gj = Q^mod n . 

said public value G { being the square g 2 of the base number & smaller than the f prime 
factors p 15 p 2 , ... p f , 

said protocol implementing, in the following steps, an entity called a witness having f 
prime factors p { and/or parameters of the Chinese remainders of the prime factors and/ or of 
the public modulus n and/or the m private values Q { and/or f.m components (Q is j = Q, 
mod pj) of the private values Q t and of the public exponent v; 

- the witness computes commitments R in the ring of integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 

where r is a random factor such that 0 < r < n, 

• or 

• • by performing operations of the type: 
RjEei-^ mod ^ 
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where r,is a random value associated with the prime number p, such that 0 < r,< p i5 each r, 
belonging to a collection of random factors {r t , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers 
d, hereinafter called elementary challenges; the witness, on the basis of each challenge d, 
computing a response D, 

• either by performing operations of the type: 
Dsr.Q 1 dl .Q 2 da . ...Q m dra modn 

• or 

• • by performing operations of the type: 
D-r i .Q i / 1 .Q ij2 d2 ....Q i , m dm modp i 

• • and then by applying the Chinese remainder method. 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}. 

Please add the following new claims: 

3. (New) Method according to claim 2, such that the security parameter k is a 
small integer, especially smaller than 100. 

9. (New) Method according to claim 8 such that, to produce the e prime factors 
congruent to 1 modulo 4, each prime factor candidate p is evaluated, from p f . e to p f , in 



being subjected to the following two successive tests: 
(1) First test 

- the Legendre symbol is computed for each base number g, t from & to g m , 
with respect to the candidate prime factor p, 

• if the Legendre symbol is equal to -1, the candidate p is rejected, 

• if the Legendre symbol is equal to +1, the evaluation of the candidate p is 
continued in passing to the following base number and then, when the last base 
number has been taken into account, there is a passage to the second test. 

(2) Second test 

- an integer number t is computed such that p-1 is divisible by 2\ but not by 
T\ then 

- an integer s is computed such that s = (p-l+2 t )/2 m . 

- the key (s, p) is applied to each public value G; to obtain a result r 
r = Gj s mod p 

• if r is equal to & or - g i? the second test is continued in passing to the 
following public value G i+r 

• if r is different from & or - g i? a factor u is computed in applying the 
following algorithm: 

• • the algorithm consists of the repetition of the following sequence specified 
for an index ii ranging from 1 to t-2: 

• • the algorithm implements two variables: w initialized by r and jj = 2 U 
assuming values ranging from 2 to 2 t_2 , as well a number b obtained by application of 
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the key <(p-l)/2 l , p> to a non-quadratic residue of CG(p), then the following steps 1 
and 2 are iterated: 

• • • Step 1: w 2 /Gj(mod p) is computed, 

• • • Step 2: the result is raised to the power of 2'" 1 . 

• « • • If +1 is obtained, the second test is continued in passing to 
the following public value G i+1; 

. ... If -1 is obtained, jj = T is computed and then w is replaced 
by w.b" (mod p), then the algorithm is continued for the following value 
having an index ii. 

• • at the end of the algorithm, the value in the variable jj is used to compute an 
integer u by the relation jj = 2 t_u and then the expression t-u is computed. Two 
cases arise: 

• • • if t-u < k, the candidate p is rejected 

• • • if t-u > k, the evaluation of the candidate p is continued in 
continuing the second test and in passing to the following public value G M ,the 
candidate p is accepted as a prime factor congruent to 1 modulo 4 if, at the end 
of the second test, for all the m public values G,, it has not been rejected. 

REMARKS 

The above preliminary amendment is made to remove multiple dependencies from 
claims 3, 4, 5, 6, 9 and 10. 
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A new abstract page is supplied to conform to that appearing on the publication 
page of the WIPO application, but the new Abstract is typed on a separate page as required by 
U.S. practice. 

Applicants respectfully request that the preliminary amendment described herein 
be entered into the record prior to calculation of the filing fee and prior to examination and 
consideration of the above-identified application. 

If a telephone conference would be helpful in resolving any issues concerning this 
communication, please contact Applicants' primary attorney-of record, John J. Gresens (Reg. No. 
33,112), at (612) 371.5265. 



Respectfully submitted, 



MERCHANT & GOULD P.C. 
P.O. Box 2903 

Minneapolis, Minnesota 55402-0903 
(612) 332-5300 



Dated: July 10, 2001 




JJG/tvm 
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MARKED- UP COPY 



3. (Amended) Method according to [any of the claims 1 or 2] claim 1 , such that the 
security parameter k is a small integer, especially smaller than 100. 

4. (Amended) Method according to [one of the claims 1 to 3] claim 1, such that the size of 
the modulus n is greater than several hundreds of bits. 

5. (Amended) Method according to [one of the claims 1 to 4] claim 1 , such that the f prime 
factors pi„ p 2 „ . . . Pf have a size close to the size of the modulus n divided by the number f of 
factors. 

6. (Amended) Method according to [one of the claims 1 to 5] claim 1 such that, among the 

f prime factors pi,, P2,, • • • Pf, 

- a number e of prime factors congruent to 1 modulo 4 is chosen, e possibly being zero 
(should e be zero, the modulus n will hereinafter be called a basic modulus, should e > 0, the 
modulus n will hereinafter be called a combined modulus), 

- the f-e other prime factors are chosen to be congruent to 3 modulo 4, f-e being at least 
equal to 2. 

9. (Amended) Method according to [the claims 7 or 8] claim 7 such that, to produce the e 
prime factors congruent to 1 modulo 4, each prime factor candidate p is evaluated, from p f -e to 
p f , in being subjected to the following two successive tests: 

(1) First test 



- the Legendre symbol is computed for each base number g t , from gi to g m , with 
respect to the candidate prime factor p, 

• if the Legendre symbol is equal to -1, the candidate p is rejected, 

• if the Legendre symbol is equal to +1, the evaluation of the candidate p is 
continued in passing to the following base number and then, when the last base 
number has been taken into account, there is a passage to the second test. 

(2) Second test 

- an integer number t is computed such that p-1 is divisible by l\ but not by 2 t+ \ then 

- an integer s is computed such that s = (p-l+2 t )/2 t+1 . 

- the key <s, p) is applied to each public value Gi to obtain a result r 
r= Gi s mod p 

• if r is equal to g» or - &, the second test is continued in passing to the 
following public value G i+ i. 

• if r is different from & or - &, a factor u is computed in applying the 
following algorithm: 

• • the algorithm consists of the repetition of the following sequence specified 

for an index ii ranging from 1 to t-2: 

• • the algorithm implements two variables: w initialized by r and jj = 2" 
assuming values ranging from 2 to 2 t_2 , as well a number b obtained by application of 
the key ((p-l)/2\ p) to a non-quadratic residue of CG(p), then the following steps 1 
and 2 are iterated: 

• • • Step 1 : w 2 /Gi (mod p) is computed, 

• • • Step 2: the result is raised to the power of 2 t ~ 11 " 1 . 



.... If +1 is obtained, the second test is continued in passing to 

the following public value Gj+i, 

.... If _1 is obtained, jj = 2 U is computed and then w is replaced 
by w.b" (mod p), then the algorithm is continued for the following value 
having an index ii. 

• • at the end of the algorithm, the value in the variable jj is used to compute an 
integer u by the relation jj = 2 t_u and then the expression t-u is computed. Two 
cases arise: 

• • • if t-u < k, the candidate p is rejected 

• * • if t-u > k, the evaluation of the candidate p is continued in 
continuing the second test and in passing to the following public value G i+ i,the 
candidate p is accepted as a prime factor congruent to 1 modulo 4 if, at the end 
of the second test, for all the m public values G i? it has not been rejected. 

10. (Amended) Protocol applying the method according to [any of the claims 1 to 9] 
claim 1 , said protocol being designed to prove the following to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of m pairs of private values Qi ? Q 2 , ... Q m and public values G u G 2 , ... G m , or 
parameters derived from these values; 

said modulus and said values being linked by relations of the following type: 
Q . Qi v = 1 . mod n or Gi - Qi V mod n . 



said public value G; being the square g\ of the base number gj smaller than the f prime factors 

Pb P2> Pf> 

said protocol implementing, in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or of the public 
modulus n and/or the m private values Qi and/or f.m components Q h j (Qi, j = Qi mod pj) of the 
private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of integers modulo n; each commitment 
being computed: 

• either by performing operations of the type: 
R = r v mod n 

where r is a random factor such that 0 < r < n ? 

• or 

• • by performing operations of the type: 
Rs = ri v mod pi 

where r { is a random value associated with the prime number pi such that 0 < r, < p i? each r { 
belonging to a collection of random factors {n , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d ? each challenge d comprising m integers d* 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, 
computing a response D, 

• either by performing operations of the type: 
D^r.Qj dl .Q 2 d2 ....Qm dm modn 

• or 



• • by performing operations of the type: 

D i = r i .Q u dl .Q i) 2 d2 ....Q i , m dm mod pi 

• • and then by applying the Chinese remainder method. 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}. 
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Method, system and device for proving the authenticity of an ent ity 
and/or the integrity and/or the authenticity of a message using specific 



The present invention relates to the technical field of methods, 
systems and devices designed to prove the authenticity of an entity and/or 
the integrity and/or authenticity of a message. 

The patent EP 0 311 470 Bl, whose inventors are Louis Guillou and 
Jean-Jacques Quisquater, describes such a method. Hereinafter, reference 
shall be made to their work by the terms "GQ patent" or "GQ method". 
Hereinafter, the expression "GQ2", or "GQ2 invention" or "GQ2 
technology" shall be used to describe the new developments of the GQ 
technology that are the object of pending applications filed on the same 
day as the present application by France Telecom, TDF and the firm 
Mathrizk, and having Louis Guillou and Jean- Jacques Quisquater as their 
inventors. The characteristic features of these pending applications are 
recalled whenever necessary in the following description. 

According to the GQ method, an entity known as a "trusted 
authority" assigns an identity to each entity called a "witness" and 
computes its RSA signature. In a customizing process, the trusted 
authority gives the witness an identity and signature. Thereafter, the 
witness declares the following: "Here is my identity; I knew the RSA 
signature thereof". The witness, without revealing the fact, proves that he 
knows the RSA signature of his identity. Through the RSA public 
identification key distributed by the trusted authority, an entity known as 
a "controller" ascertains, without obtaining knowledge thereof, that the 
RSA signature corresponds to the declared identity. The mechanism using 
the GQ method takes place "without transfer of knowledge". According to 
the GQ method, the witness does not know the RSA private key with 
which the trusted authority signs a large number of identities. 




prime factors 



The GQ technology described here above makes use of RSA 
technology. However, while the RSA technology truly depends on the 
factorization of the modulus n, this dependence is not an equivalence, 
indeed far from it, as can be seen in the so-called multiplicative attacks 
against various standards of digital signatures implementing the RSA 
technology. 

The goal of the GQ2 technology is twofold: firstly to improve the 
performance characteristics of RSA technology and secondly to avert the 
problems inherent in RSA technology. Knowledge of the GQ2 private key 
is equivalent to knowledge of the factorization of the modulus n. Any 
attack on the triplets GQ2 leads to the factorization of the modulus n: this 
time there is equivalence. With the GQ2 technology, the work load is 
reduced for the signing or self-authenticating entity and for the controlling 
entity. Through a better use of the problem of factorizing in terms of both 
security and performance, the GQ2 technology averts the drawbacks of 
RSA technology. 

The GQ method implements modulo computations of numbers 
comprising 512 bits or more. These computations relate to numbers having 
substantially the same size raised to powers of the order of 2 i6 + 1. Now, 
existing microelectronic infrastructures, especially in the field of bank 
cards, make use of monolithic self-programmable microprocessors without 
arithmetical coprocessors. The work load related to multiple arithmetical 
applications involved in methods such as the GQ method leads to 
computation times which, in certain cases, prove to be disadvantageous for 
consumers using bank cards to pay for their purchases. It may be recalled 
here that, in seeking to increase the security of payment cards, the banking 
authorities have raised a problem that is particularly difficult to resolve. 
Indeed, two apparently contradictory questions have to be resolved: on 
the one hand, increasing safety by using increasingly lengthy and distinct 



keys for each card while, on the other hand, preventing the work load from 
leading to excessive computation times for the user. This problem becomes 
especially acute inasmuch as it is also necessary to take account of the 
existing infrastructure and the existing microprocessor components. 

The GQ2 technology provides a solution to this problem while 
boosting security. 

The GQ2 technology implements prime factors having special 
properties. There are various existing techniques for producing these 
prime factors. An object of the present invention is a method for the 
systematic production of such prime factors. It also relates to the 
application that can be made of these factors especially in the 
implementation of the GQ2 technology. It must be emphasized right now 
that these special prime factors and the method used to obtain them can be 
applied beyond the field of GQ2 technology. 

The invention can be applied to a method (GQ2 method) designed to 
prove the following to a controller entity: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 

This proof is established by means of all or part of the following 
parameters or derivatives thereof: 

- a public modulus n constituted by the product of f prime factors p 1? 
P2? ••• Pf (f being equal to or greater than 2), 

- a public exponent v; 

- m distinct integer base numbers g 19 g 2 , ... g m (m being greater than 
or equal to 1). 

The base numbers & are such that the two equations (1) and (2): 
x 2 = g { mod n and x 2 = - ^mod n 
cannot be resolved in x in a ring of integers modulo n, 
and such that the equation (3): 



x v == g. 2 mod n 

can be resolved in x in the ring of integers modulo n. 

The method according to the invention is used to produce the f prime 
factors p v p 2> , ... p f . in such a way that the equations (1), (2) and (3) are 
satisfied. The method according to the invention comprises the step of 
choosing firstly: 

• the m base numbers g v g 2> , . . . g m , 

• the size of the modulus n, 

• the size of the f prime factors p v p 2) , . . . p f . 

The method relates to the case where the public exponent v has the 

form: 

v = 2 k 

where k is a security parameter greater than 1. The security parameter k is 
also chosen as a prime number. This special value of the exponent v is one 
of the essential features of GQ2 technology. 

Preferably, the m base numbers g 1? , g 2> , ... g m , are chosen at least 
partially among the first integers. Preferably again, the security parameter k 
is a small integer, especially below 100. Advantageously, the size of the 
modulus n is greater than several hundreds of bits. Advantageously again, 
the f prime factors p v p 2) , . . . p f have a size close to the size of the modulus 
n divided by the number f of factors. 

According to a major characteristic of the method according to the 
invention, the f prime factors p v p 2> , ... p f are not chosen in any unspecified 
way. Among the f prime factors p 1? , p 2> , . . . p f , a certain number of them: e 
will be chosen to be congruent to 1 modulo 4. This number e of prime 
factors may be zero. Should e be zero, the modulus n will hereinafter be 
called a basic modulus. Should e > 0, the modulus n will hereinafter be 
called a combined modulus. The f-e other prime factors are chosen to be 
congruent to 3 modulo 4. This number f-e of prime factors is at least equal 
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to 2. 

Choice of f-e prime factors congruent to 3 modulo 4 

To produce the f-e prime factors p v p v . . . p f . e congruent to 3 modulo 
4, the following steps are implemented: 
5 - the first prime factor p 2 congruent to 3 modulo 4 is chosen and then, 

- the second prime factor p 2 is chosen such that p 2 is complementary 
to Pi with respect to the base number g v 

To choose the factor p i+1 , the following procedure is used in 
distinguishing two cases: 
io (1) the case where i> m 

Should i> m, the factor p i+1 congruent to 3 modulo 4 is chosen. 

(2) Case where i<m 

Should i<m, the Profile (Profile^)) of g, with respect to i first prime 
factors Pi is computed: 
15 • if the ProfileiCgj) is flat, the factor p i+1 is chosen such that p i+1 is 

complementary to p t with respect to g i9 

• else, among the i-1 base numbers g 1? g 2 , ... g M and all their 
multiplicative combinations, the number, hereinafter called g is chosen such 
that Profile^) = Profile^), and then p i+1 is chosen such that 
20 ProfiIe i+1 ( gi ) * Proffie i+1 (g). 

The terms "complementary", "profile", "flat profile" have the 
meanings defined in the description. 

To choose the last prime factor p f . e ,the following procedure is used in 
distinguishing three cases: 
25 (1) Case where f-e-1 > m 

Should f-e-1 > m, p f . e is chosen congruent to 3 modulo 4. 

(2) Case where f-e-1 = m 

Should f-e-1 = m, Profile f . e . 1 (g m ) is computed with respect to f-e-1 
first prime factors from p 2 to p f . e-l5 



• if Profile f . e _ 1 (g m ) is flat, p f . e-1 is chosen such that it is complementary 
to Pi with respect to g m , 

• else, the procedure stipulated here below is followed: 

Among the m-1 base numbers from g t to g m _ x and all their 
multiplicative combinations, the number hereinafter called g is chosen such 
that Profile^g) = Profile^gi) and then p f _ e is chosen such that Profile^ 
e (g) * Profile f . e (g m ). 

(3) Case where f-e-1 < m 

If f-e-1 < m, then p f _ e is chosen such that the following two conditions 
are met: 

(3.1) First condition 

Profile f . e . 1 (g f . e . 1 ) is computed with respect to the f-e-1 first prime 
factors from p t to p f . e . 1) Two cases are then to be considered. Depending 
on either of these two cases, the first condition will be different. 

If Profile f . e . 1 (g f . e . 1 ) is flat, p f . e is chosen so that it meets the first 
condition of being complementary to p t with respect to g f . e _ x (first 
condition according to the first case). Else, among the f-e-1 base numbers 
from g x to g m-1 and all their multiplicative combinations, the number, 
hereinafter called g, is chosen such that Profile^g) = Profile f . e . 1 (g f . e . 1 ) and 
then p f _ e is chosen so that it meets the condition of being such that 
Profile f . e (g) * Profile f . e (g m ), (first condition according to the second 
case). 

(3.2) Second condition 

Among all the last base numbers from g f . e to g m , those numbers 
whose Profile Profile^ (gj) is flat are chosen and then p f . e is chosen so 
that it meets the condition of being complementary to p t with respect to 
each of the base numbers thus selected (second condition). 

Choice of e prime factors congruent to 1 modulo 4 

To produce the e prime factors congruent to 1 modulo 4, each prime 



factor candidate p is evaluated, from p f _ e to p f , in being subjected to the 
following two successive tests: 

(1) First test 

The Legendre symbol is computed for each base number g lf from g t to 
g m , with respect to the candidate prime factor p, 

• if the Legendre symbol is equal to -1, the candidate p is rejected, 

• if the Legendre symbol is equal to +1, the evaluation of the 
candidate p is continued in passing to the following base number and then, 
when the last base number has been taken into account, there is a passage 
to the second test. 

(2) Second test 

An integer number t is computed such that p-1 is divisible by 2\ but 
not by 2 t+1 , then an integer s is computed such that s = (p-l+2 t )/2 t+1 . 
The key <s, p> is applied to each public value Gjto obtain a result r 

r= G { s mod p 

If r is equal to g; or - g b the second test is continued in passing to the 
following public value G i+1 . 

If r is different from gj or - g i? a factor u is computed in applying the 
following algorithm specified for an index ii ranging from 1 to t-2. The 
algorithm implements two variables: w initialized by r and jj = 2 U assuming 
values ranging from 2 to 2 t 2 , as well a number b obtained by application of 
the key {(p-l)^ 1 , p> to a non-quadratic residue of CG(p). The algorithm 
consists in repeating the following sequence as many times as is necessary: 

• Step 1 : wVGj (mod p) is computed, 

• Step 2: the result is raised to the power of 2 t-iM , Two cases are to be 
considered. 

First case 

If +1 is obtained, there is a passage to the following public value G i+1 
and the second test is performed for this public value. 
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Second case 

If — 1 is obtained, jj = 2 11 is computed and then w is replaced by w.b^ 
(mod p). Then, the algorithm is continued for the following value having 
an index ii. 

At the end of the algorithm, the value in the variable jj is used to 
compute an integer u by the relation jj = 2 t u and then the expression t-u is 
computed. Two cases arise: 

• if t-u < k, the candidate p is rejected 

* if t-u > k, the evaluation of the candidate p is continued in passing 
to the following public value G i+1 and then in continuing the second test. 

The candidate p is accepted as a prime factor congruent to 1 modulo 
4 if, at the end of the second test, for all the m public values G i9 it has not 
been rejected. 

Application to the public and private values of GQ2 

The present invention also relates to a method (GQ2 method) 
applying the method that has just been described and making it possible, it 
may be recalled, to produce f prime factors p v p 2 , . . . p f having special 
properties; The method for the application of the method that has just 
been described is designed to prove the following to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

This proof is established by means of all or part of the following 
parameters or derivatives of these parameters: 

- m pairs of private values Q v Q 2 , ... Q m and public values G 19 G 2? ... 
G m (m being greater than or equal to 1), 

- the public modulus n constituted by the product of said prime factors f p 19 
p 2 , ... p f (f being greater than or equal to 2), 

- the public exponent v. 

Said modulus, said exponent and said values are linked by relations 
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of the following type: 

G t . Qi v = 1 . mod n or = Q f v mod n . 

Said exponent v is such that 

v = 2 k 

where k is a security parameter greater than 1. 

Said public value Gj is the square g 2 of the base number gj smaller 
than the f prime factors p 1? p 2 , ... p f . The base number g { is such that the 
two equations: 

x 2 = gj mod n and x 2 = -g i mod n 

cannot be resolved in x in the ring of integers modulo n and such that the 
equation: 

x v = g. 2 mod n 

can be resolved in x in the ring of the integers modulo n. 

Said method implements an entity called a witness in the following 
steps. Said witness entity has f prime factors ft and/or parameters of the 
Chinese remainders of the prime factors and/or of the public modulus n 
and/or the m private values Q { and/or f.m components Q u (Q Uj = Q. mod 
Pj) of the private values Q { and of the public exponent v. 

The witness computes commitments R in the ring of integers modulo 
n. Each commitment is computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random factor such that 0 < r < n, 

• or by performing operations of the type: 

Rj = mod p. 

where i^is a random value associated with the prime number p { such that 0 
< r { < p i9 each r s belonging to a collection of random factors {r x , r 2 , ... r f }, 
then by applying the Chinese remainder method. 

The witness receives one or more challenges d. Each challenge d 
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comprises m integers dj hereinafter called elementary challenges. The 
witness, on the basis of each challenge d, computes a response D, 

• either by performing operations of the type: 

D^r.Q, dl .Q 2 d3 ....Q m dm modn 

• or by performing operations of the type: 

D S = r, . Q w dl . Q-2 * ... Q.^ - mod Pi 
and then by applying the Chinese remainder method. 

The method is such that there are as many responses D as there are 
challenges d as there are commitments R, each group of numbers R, d, D 
forming a triplet referenced {R, d, D}. 

Preferably, in order to implement the pairs of private values Q v Q 2 , ... 
Q m and public values G„ G 2 , ... G m as just described, the method uses the 
prime factors p 1? p 2 , ... p f and/or the parameters of the Chinese remainders, 
the base numbers g lf g 2 , ... g m and/or the public values G lt G 2 , ... G m to 
compute: 

- either the private values Q 15 Q 2 , ... Q m by extracting a k-fh square root 
modulo n of G i5 or by taking the inverse of a k-th square root modulo n of 
Gi, 

- or the f.m private components Q u of the private values Q„ Q 2 , ... 
Q m such that Q i} j = Q { (mod pp. 

More particularly, to compute the fjn private components Q u of the 
private values Q v Q 2 , ... Q m : 

- the key (s, Pj > is applied to compute z such that: 

z = Gi S (modpj) 

- and the values t and u are used. 

The values t and u are computed as indicated here above when Pj is 
congruent to 1 modulo 4. The values t and u are taken to be respectively 
equal to 1 (t=l) and 0 (u=0) where pj is congruent to 3 modulo 4. 

If the value u is zero, we consider all the numbers zz such that: 
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• • • zz is equal to z or such that 

• • • zz is equal to a product (mod pp of z by each of the 
2 11 " 1 2"-th primitive roots of unity, ii ranging from 1 to min(k,t). 

If u is positive, we can consider all the numbers zz such that zz is 
equal to the product (mod pj) of za by each of the 2 k 2 k -th roots of unity, za 
designating the value of the variable w at the end of the algorithm 
described here above. 

At least one value of the component Q u . is deduced therefrom. It is equal to 
zz when the equation Gj = Q^mod n is used or else it is equal to the inverse of zz 
modulo pj of zz when the equation Gj . = 1 . mod n is used. 
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Description 

The goal of GQ technology may be recalled: it is the dynamic 
authentication of entities and associated messages as well as the digital 
signature of messages. 

The standard version of GQ technology makes use of RSA 
technology. However, although the RSA technology truly depends on 
factorizing, this dependence is not an equivalence, far from it, as can be 
shown from attacks, known as multiplicative attacks, against various digital 
signature standards implementing RSA technology. 

In the context of GQ2 technology, the present part of the invention 
relates more specifically to the production of sets of GQ2 keys designed to 
provide for dynamic authentication and digital signature. The GQ2 
technology does not use RSA technology. The goal is a twofold one: 
firstly to improve performance with respect to RSA technology and 
secondly to prevent problems inherent in RSA technology. The GQ2 
private key is the factorization of the modulus n. Any attack on the GQ2 
triplets amounts to the factorizing of the modulus n: this time there is 
equivalence. With the GQ2 technology, the work load is reduced both for 
the entity that signs or is authenticated and for the one that controls. 
Through an improved use of the problem of factorization, in terms of both 
security and performance, the GQ2 technology rivals the RSA technology. 

The GQ2 technology uses one or more small integers greater than 1, 
for example m small integers (m > 1) called base numbers and referenced g t . 
Then, a public verification key (v, n) is chosen as follows. The public 
verification exponent v is 2 k where k is a small integer greater than 1 
(k > 2). The public modulus n is the product of at least two prime factors 
greater than the base numbers, for example / prime factors (f > 2) 
referenced by p p from p x ...p f . The /prime factors are chosen so that the 
public modulus n has the following properties with respect to each of the 
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m base numbers from g l to g m . 

- Firstly, the equations (1) and (2) cannot be resolved in x in the ring of 
the integers modulo n, that is to say that g { and-g ; are two non- 
quadratic residues (mod ri). 

x 2 = gi (mod ri) (i) 
x 2 = ~gi (mod ri) (2) 

- Secondly, the equation (3) can be resolved in x in the ring of the 
integers modulo n. 

x 2 = g 2 (mod ri) (3) 

Hereinafter, these properties are also called the GQ2 principles. 

Since the public verification key (v, ri) is fixed according to the base 
numbers from g 1 to g m with m > 1, each base number g ( . determines a pair of 
values GQ2 comprising a public value G, and a private value Q t : giving m 
pairs referenced G x Q 1 to G m Q m . The public value G t is the square of the 
base number g;. giving G t = gf. The private value Q t is one of the solutions 
to the equation (3) or else the inverse (mod ri) of such a solution. 

Just as the modulus n is broken down into / prime factors, the ring of 

the integers modulo n are broken down into /Galois fields, from CGip^ to 

CG(pj). Here are the projections of the equations (1), (2) and (3) in CG(p y ). 
x 2 = gi (mod pj) 

x 2 =~gi (mod Pj ) (2-a) 
x 2 " =gf (mod pj) (3a) 

Each private value Q t can be represented uniquely by / private 
components, one per prime factor: Q u = Q i (mod pj). Each private 
component Q :J is a solution to the equation (3.a) or else the inverse (mod 
Pj) of such a solution. After all the possible solutions to each equation (3 .a) 
have been computed, the Chinese remainder technique sets up all the 
possible values for each private value Q t on the basis of / components of 
Qa t0 Qi/ Qi = Chinese remainders (Q }1 , Q i2 , ...Q^) so as to obtain all the 
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possible solutions to the equation (3). 

The following is the Chinese remainder technique: let there be two 
positive integers that are mutually prime numbers a and b such that 
0 < a < Z>, and two components X a from 0 to a-1 and X b from 0 to b-l . It is 
required to determine X = Chinese remainders (X a , X b \ namely the single 
number X of 0 to a.b-1 such that X a = X (mod a) and X b = X (mod b). The 
following is the Chinese remainder parameter: a= {b (mod a)}~ x (mod a). 
The following is the Chinese remainder operation: e = X b (mod a); 8 = 
X-e; if 8 is negative, replace S by<5+a; y s a . 8 (mod a); X = y. b + X b . 

When the prime factors are arranged in increasing order, from the 
smallest p x to the greater p fi the Chinese remainder parameters can be the 
following (there are /-l, namely at least one of the prime factors). The first 
Chinese remainder parameter is a= {p 2 (mod p x )}~ 1 (mod The second 
Chinese remainder parameter is (3 = {p v p 2 (mod p 3 )}~ 1 (mod p 3 ). The i-th 

Chinese remainder parameter is X = {p v p 2 p ijL (mod p t )}- 1 (mod p t ). And 

so on and so forth. Finally, in f-1 Chinese remainder operations, a first 
result (mod p 2 times p^ is obtained with the first parameter and then a 
second result (mod p v p 2 times p 3 ) with the second parameter and so on and 
so forth until a result (mod p v ... p f l time p f ), namely (mod n). 

The object of the invention is a method for the random production of 
any set of GQ2 keys among all the sets possible, namely: 

the random production of any moduli among all the GQ2 moduli 
possible, namely the moduli ensuring that, for each of the m base 
numbers the equations (1) and (2) cannot be resolved in x in the ring 
of integers modulo n while the equation (3) has one of them, 
computing all the possible solutions to each of the equations (3. a). The 
Chinese remainder technique enables the obtaining of a private value 
Qi from each set of / components from Q i X to so as to obtain any 
solution in x for the equation (3) among all ht possible equations. 
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Q t = Chinese remainders (Q i X , Q. 2 , . . . Q if ) 
To grasp the problem, and then understand the solution to be given 
to the problem, namely the invention, we shall first of all analyze the 
applicability of the principles of GQ2 technology. Let us start by recalling 
the notion of rank in a Galois field CG(p) in order to study the functions 
"raised to the square in CG(p)" and "take a square root of a quadratic 
residue in CG(p)". Then, we shall analyse the existence and number of 
solutions in x in CG(p) to the equations (La), (2.a) and (3.a). 
Rank of the elements in CG(p) 

Let us take a odd prime number p and a positive prime number a 
smaller than p. Let us thereafter define {X}. 

{X }={*i = a; puis, pour />1, x M = a.x t (mod p) } 

Let us calculate the term for the index i+p and let us use Fermat's theorem: 
x i+p = a p jc t = ax t = x /+1 (mod p) 

Consequently, the period of the sequence {X} is p-l or a divider of 
p-L This period depends on the value of a. By definition, this period is 
called "the rank of a (mod /?)". It is the index of appearance of unity in the 
sequence {X}. 

XranKa,p)=l (mod p) 

For example, when (p-l)/2 is an odd prime number p\ the Galois field 
CGQ?) comprises a single element with a rank 1: it is 1, a single element 
with rank 2. It is -1, p-l elements of a rank p\ p'-l elements of the rank 
2.p\ namely of the rank p-l. 

The elements of CG(p) whose rank is p-l are called the primitive 
elements or again the generators of CG(p). The name is due to the fact that 
their successive powers in CG(p), namely the terms of the {X} sequence for 
the indices going from 1 to p-l, form a permutation of all the non-zero 
elements of CG(p). 

According to a primitive element y of CG(p), let us evaluate the rank 
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of the element / (modp) as a function of i and p-L When i is a prime 
number with p-1, it is p-l. When i divides it is In all cases, it 

is(p-l)/pgcd(p-l,0. 

The Euler function is referenced by cp. By definition, since n is a 
positive integer, (p(n) is the number of positive integers smaller than n that 
are prime numbers with n. In the field CG(p), there are therefore cp(p-l) 
primitive elements. 

By way of an illustration, here is the base of the RSA technology. 
The public modulus n is the product of /prime factors from p x to p f with / > 
2, such that for each prime factor p p the public exponent v is a prime 
number with p r l. The key <v, p) complies with the rank of the elements of 
CG^): it permutates them. The inverse permutation is obtained with a 
key (sj, p) such that p r l divides v.s r l. 

Squares and square roots in CG(p) 

The elements x and p-x have the same square in CG(p). The key (2, 
p) do not permutate the elements of CG(p) because p-1 is an even value. 
For each prime number p, let us define an integer t as follows: p-l is 
divisible by 2\ but not by 2 t+ \ namely p is congruent to 2'+l (mod 2' +1 ). 
For example t = 1 when p is congruent to 3 (mod 4); t = 2 when p is 
congruent to 5 (mod 8); t = 3 when p is congruent to 9 (mod 16); t = 4 
when p is congruent to 17 (mod 32); and so on and so forth. Each odd 
prime number is seen in one and only one category: p is seen in the t-th 
category. In practice, if we consider a fairly large number of successive 
prime numbers, about one in every two is found in the first category, one in 
four in the second, one in eight in the third, one in sixteen in the fourth, 
and so on and so forth. In short, one in 2 t on an average is found in the 
t-ih category. 

Let us consider the behavior of the function "raise to the square in 
CG(p) M according to the parity of the rank of the argument. 
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There is only one fixed element: it is 1. The square of any other 
element of an odd-parity rank is another element having the same rank . 
Consequently, the key <2, p) permutates all its (p-l)/!* odd-parity rank 
elements. The number of permutation cycles depends on the 
factorization of (p-l)/2'. For example, when (p-l)!! 1 is a prime number 
p\ there is a big permutation cycle comprising p'-l elements. 
The square of any even-parity rank element is another element whose 
rank is divided by two. Consequently, the even-parity ranking 
elements are distributed over (p-l)/2' branches. Each non-zero 
element with an odd-parity rank bears a branch with a length t 
comprising 2-1 elements, namely: an element of a rank divisible by 
two but not by four and then, if t > 2, two elements of a rank divisible 
by four but not by eight, and then if t > 3, four elements of a rank 
divisible by eight but not by sixteen, and then if t > 4, eight elements of 
a rank divisible by sixteen but not by 32 and so on and so forth. The 
2 M ends of each branch are non-quadratic residues; their rank is 
divisible by 2'. 

Figures 1A to ID illustrate the function "raise to the square in CGQ?)" 
by an oriented graph where each of the p-l non-zero elements of the field 
finds its place: the non-quadratic residues are in white and the quadratic 
residues are in black; among the quadratic residues, the odd-parity ranking 
elements are in circles. 

These figures show respectively; 

Figure 1A: the case where p is congruent to 3 (mod 4); 
Figure IB: the case where p is congruent to 5 (mod 8); 
Figure 1C: the case where p is congruent to 9 (mod 16); 
Figure ID: the case where p is congruent to 17 (mod 32). 
Let us now look at the way to calculate a solution in x to the 
equation x 2 s a (mod p% it being known that a is a quadratic residue of 
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CG(p), namely how "to take a square root in CG(p)". There are of course 
several ways of obtaining the same result: the reader can advantageously 
consult Henri Cohen, "A Course in Computational Algebraic Number 
Theory", published, Springer, Berlin, 1993, pp. 31-36 as well as "Graduate 
Texts in Mathematics" , vol. 138 (GTM 138). 

Let us calculate an integer s = (p-l+2')/2' +1 to establish a key (s, p). 
Let: <(p+l)/4,/?> when p is congruent to 3 (mod 4), <(p+3)/8, p) when p is 
congruent to 5 (mod 8), <Q?+7)/16, p) when p is congruent to 9 (mod 16), 
((p+15)/32, p) when p is congruent to 17 (mod 32), and so and so forth. 
- The key (s, p) gives the odd-parity ranking square root of any odd- 
parity ranking element. Indeed, in CG(p), rVa is equal to a raised to the 
power (2.(p-l+2')/2 t+1 )-l = (p-l)/2*. Consequently, when a is in a 
cycle, the key (s, p) converts a into a solution that we shall call w. The 
other solution is p-w. 

In general, the key (s, p) converts any quadratic residue a into a first 
approximation of a solution which shall be called r. The following are 
two key points followed by a rough sketch of a method for the step- 
by-step improvement of the approximation up to a square root of a. 

Firstly, since a is a quadratic residue, the key <2 M , p) certainly 

converts r^Ia into 1. 

Secondly, it may be assumed that we know a non-quadratic 
residue of CG(p) that we name y; the key ((p-l)/2\ p) converts y 
into an element that shall be called b: this is a root 2' _1 -th of-1. 
Indeed, y^ 12 s -1 (mod p\ Consequently, in CGfc), the 
multiplicative group of the 2' 2-th roots of unity is isomorphic to 
the multiplicative group of the powers of b for the exponents from 
1 to 2'. 

To approach a square root of a, let us raise r^Ia to the power of 2'~ 2 
(mod p): the result is +1 or -1. The new approximation remains r if 
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the result is +1 or else it becomes b.r (mod p) if the result is— 1. 
Consequently, the key (2 ? ~ 2 , p) certainly converts the new 
approximation into 1. It is possible to continue to approach the 
required value: at the next step, an adjustment will be made if 
necessary by multiplying by b 2 (mod p) and so on and so forth. 
The following algorithm makes successive approximations to reach a 
square root of a from the integers r and b defined here above; it uses two 
integer variables: w initialized by r to represent the successive 
approximations and jj assuming values among the powers of 2, from 2 to 

For i ranging from 1 to r-2, repeat the following sequence: 
- Compute w 2 la (mod p\ then raise the result to the power 2'" M (mod p): 
+1 or -1 should be obtained. When -1 is obtained, compute jj = 2\ then 
replace w by (mod p). When +1 is obtained, do nothing. 

At the end of the computation, w and p-w are two square roots of a 
in CG(p). Furthermore, we learn that the rank of a in CG(p) is divisible by 
2Yj[/ but not by 2 /+1 //)\ The relevance of this observation will be seen 
further below. 

Analysis of the principles of GQ2 technology in CG(p) 

Let us take two integers g and k greater than 1 and a prime number p 
greater than g. Let us analyze the existence and number of solutions in x 
in CG(p) in the equations (La), (2.a) and (3.a). 

In the Galois field CG(p), let us distinguish different cases depending 
on the value of t, namely, according to the power of two which divides 
p-1. It may be recalled that p-l is divisible by 2\ but not by 2 t+ \ namely 
that p is congruent to 2'+l (mod 2' +1 ). The previous analysis gives us a 
fairly precise idea of the problem raised as well as a rough solution. 

When t = 1, p is congruent to 3 (mod 4). The Legendre symbols of g 
and-g with respect to p are different: any quadratic residue of CG(p) has 
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two square roots in CG(p): one is a quadratic residue and the other is a 
non-quadratic residue. Firstly, one of the two equations (La) or (2.a) has 
two solutions in x in CG(p) and the other does not have any. Secondly, 
the equation (3.a) has two solutions in x in CG(p) whatever the value of L 

When t = 2, p is congruent to 5 (mod 8). Two cases occur, 
depending on the Legendre symbol of g with respect to p. When the 
symbol is equal to -1, g and-g are both non-quadratic residues of CG(p): 
the three equations (La), (2.a) and (3.a) have no solution in x in CG(p). 
When the symbol is equal to +1, g and-g are two quadratic residues of 
CG(p\ each equation (La) and (2.a) has two solutions in x in CG(p). 
Furthermore, the rank of g 2 in CG(p) is an odd-parity value implying that 
whatever the value of k, the equation (3. a) has four solutions in x in CG(p) 
of which only one has an odd-parity rank. 

Figure 2 illustrates the solutions to the equation (3. a) with k = 6 and 
p congruent to 5 (mod 8), giving t = 2. It may be noted that, because the 
Legendre symbol of 2 with respect to p congruent to 5 (mod 8) is equal to 
-l.l^ 1 * 4 (mod p) is then a square root of-L We therefore have: 
p = 5 (mod 8); consequently (2\p)= - 1 
p s 2 4 (mod p); hence b 2 = -1 (mod p) 

When t = 3, p is congruent to 9 (mod 16). Let us consider the 
Legendre symbol of g with respect to p. When the symbol is equal to -1, g 
and —g are two non-quadratic residues of CG(p): the three equations (La), 
(2.a) and (3. a) have no solution in x in CG(p). When the symbol is equal to 
+1, g and-g are two quadratic residues of CG(p); each equation (La) and 
(2.a) has two solutions in x in CG(p). The existence of solutions in x to the 
equation (3.a) depends on the rank of g 2 in CG(p). This rank is an odd- 
parity value or is divisible by two but not by four. When the rank of g 2 in 
CG(p) is divisible by two but not by four, the equation (3 .a) has four 
solutions in x in CG(p) for k = 2; it cannot go above k > 3. When the rank 
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of g 2 in CG(p) is an odd-parity value, the equation (3.a) has four solutions 
in x in CG(p) for k = 2 and eight for k > 3. In both cases, only one value is 
an odd-parity value. 

When / = 4, p is congruent to 17 (mod 32). Let us consider the 
Legendre symbol of g with respect to p. When the symbol is equal to -1, g 
and -g are two non-quadratic residues of CG(p): the three equations (La), 
(2. a) and (3.a) have no solution in x in CG(p). When the symbol is equal to 
+1, g and-g are two quadratic residues of CG(p); each equation (La) and 
(2.a) has two solutions in x in CG(p). The existence of solutions in x to the 
equation (3. a) depends on the rank of g 2 in CG(p). This rank is an odd- 
parity value or is divisible by two or four but not by eight. When the rank 
of g 2 in CG(p) is divisible by two but not by eight, the equation (3. a) has 
four solutions in x in CG(p) for k = 2; it cannot go above k > 3. When the 
rank of g 2 in CG(p) is divisible by two but not by four, the equation (3. a) 
has four solutions in x in CG(p) for k = 2 or eight for k = 3; it has no 
solutions for k > 4. When the rank of g 2 in CG(p) is an odd-parity value, 
the equation (3.a) has four solutions in x in CG(p) for k = 2 and eight for k 
> 3 and sixteen for k > 4. In all three cases, only one value is an odd-parity 
value. 

And so on and so forth so that the case where p is congruent to 1 
(mod 4) can be summarized as follows. 

When p is congruent to 1 (mod 4), let us consider the Legendre 
symbol of g with respect to p. When the symbol is equal to -1, g and-g 
are two non-quadratic residues of CG(p): the three equations (La), (2.a) 
and (3.a) have no solution in x in CG(p). When the symbol is equal to +1, 
g and-g are two quadratic residues of CG(p); each equation (La) and (2.a) 
has two solutions in x in CG(p). Let us define the integer u: the rank of g 2 
in CG(p) is divisible by 2 M , but not by 2 M+1 . The value of u is among the t-l 
possible values, from 0 to t-2. The existence and the number of solutions 
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in x in CG(p) to the equation (3.a) depend on the values of k, t and u. 
When u is positive and k is greater than t-u, the equation (3.a) does not 
have a solution in x in CG(p). When u is zero and k is greater than /, the 
equation (3.a) has 2 r solutions in x in CG(p). When k is smaller than or 
equal to t-u, the equation (3.a) has 2 k solutions in x in CG(p). 

Applicability of the GQ2 principles in the rings of integers 
modulo 

In order that the equation (1) and (2) respectively may have no 
solution in x in the ring of the integers modulo n, it is necessary and 
sufficient that, for at least one of the prime factors p, from p x to p p the 
equation (l.a) and (2.a) respectively will have no solution in x in CG(p). 

In order that the equation (3) may have solutions in x in the ring of 
the integers modulo n, it is necessary and sufficient that, for each of the 
prime factors p, from p 1 top f> the equation (3. a) should have solutions in x 
in CG(p). 

The equation (3) prohibits any prime factor p congruent with 1 (mod 
4) as soon as, for one of the base numbers g, from g x to g m : either the 
Legendre symbol of g with respect to p is equal to-1; or else the Legendre 
symbol of g with respect to p is equal to +1 with the condition: u positive 
and greater than t-k. In order that a prime factor p congruent to 1 (mod 4) 
may be possible, it is necessary to fulfill one of the following two 
conditions for each of the base numbers g, from g Y to g w , according to the 
two integers t and u defined here above. Either the rank of G = g 2 is an 
odd-parity rank in CG(p), namely u = 0, whatever the value of k. Or else 
the rank of G = g 2 is an even-parity rank value in CG(p), namely u > 0 and 
it meets the condition: u + k<t. 

A product of prime factors congruent to 1 (mod 4) cannot fulfill all 
the principles of GQ2 technology. Each GQ2 modulus must have at least 
two prime factors congruent to 3 (mod 4) such that, for each base number 
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g, the Legendre symbol of g with respect to on of these factors differs from 
the Legendre symbol of g with respect to the other. When all the prime 
factors are congruent to 3 (mod 4), it will be said that the GQ2 modulus is 
basic. When, in addition to at least two prime factors congruent to 3 (mod 
4), the modulus includes one or more prime factors congruent to 1 (mod 4), 
it will be said that the modulus GQ2 is combined. 
Systematic construction of moduli GQ2 

At the outset, it is necessary to fix the total constraints to be dictated 
on the modulus n: a size expressed in bits (for example, 512 or 1024 bits) 
as well as a number of most significant successive bits at 1 (at least one of 
course typically 16 or 32 bits), a number /of prime factors and a number e 
(possibly zero) of prime factors having to be congruent to 1 (mod 4); the 
other prime factors, namely f—e factors, at least two, must be congruent to 3 
(mod 4). The modulus n will be the product of / prime factors of similar 
sizes. When e = 0, a basic modulus GQ2 is obtained; when e>0, a 
combined modulus GQ2 is obtained. A basic modulus is the product of 
prime factors all congruent to 3 (mod 4). A combined modulus G02 
appears therefore as the product of a basic modulus GQ2 multiplied by one 
or more other prime factors congruent to 1 (mod 4). First of all, prime 
factors congruent to 3 (mod 4) are produced. Then, if e > 0, prime factors 
congruent to 1 (mod 4) are produced.. 

For the efficacy of the construction of GQ2 moduli, it is definitely 
better to select each candidate before seeking to find out if it is a prime 
value. 

Referenced by g x g 2 . . . , the base numbers are found typically among 
the first prime numbers: 2, 3, 5, 7, . . . If there are no indications to the 
contrary, the m base numbers are the m first prime numbers: g x = 2, g 2 = 3, 
#3 = 5, g 4 = 7, ... However, the following points must be noted: 2 must be 
avoided if a factor congruent with 5 (mod 8) is anticipated; 3 must be 
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avoided if the public key (3, n) has to be used as the RSA public 
verification key. 

Choice off-e prime factors congruent with 3 (mod 4) 
On the basis of the second factor, the program requests and uses one 
base number per factor. For the choice of the last factor congruent with 3 
(mod 4), the program finds out if there are other base numbers, namely if m 
is equal to or greater than f-e and then, if this is the case, requests and 
takes account of the last base numbers, from g^ to g m . To formalize the 
choice of the prime factors congruent with 3 (mod 4), we have introduced 
a notion of the profile. The profile characterizes an integer g with respect 
to a set of prime factors greater than g and congruent with 3 (mod 4) . 

- When an integer g has the same Legendre symbol with respect to two 
prime factors, it is said that the prime factors are equivalent with respect 
to g. Else, they are complementary with respect to g. 

- Referenced by Profile^), the profile of an integer g with respect to f 
prime factors p x p 2 ... is a sequence of /bits, one bit per prime factor. 
The first bit is equal to 1; each following bit is equal to 1 or 0 depending 
on whether the next factor is equivalent or complementary to p x with 
respect to g. 

- When all the bits of a profile are equal to 1, it is said that the profile is 
flat . In such a case, all the Legendre symbols of g are equal to +1 or else 
to-1. When the profile of g is not flat, the equations (1) and (2) cannot 
be solved in x in the ring of the integers modulo n. 

- By definition, the profile of g with respect to a single prime number 
congruent to 3 (mod 4) is always flat. This extension is used to 
generalize the algorithm of choice of the prime factors congruent to 3 
(mod 4). 

When the profiles of two base numbers g { and g 2 are different, which 
implies at least three prime factors congruent to 3 (mod 4), the knowledge 
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of the two private values Q x and Q 2 induces knowledge of two different 
decompositions of the modulus n. When the base numbers are small prime 
numbers, the program ensures that the profiles of Il^-Y multiplicative 
combinations of/-e-l basic prime numbers are all different: they take all 
the possible values. The notion of profile does not extend to the prime 
factors congruent to 1 (mod 4) . 

First prime factor p x congruent to 3 (mod 4): each candidate must 
be congruent to 3 (mod 4) without any other particular constraint. 

Second prime factor p 2 congruent to 3 (mod 4) with the first base 
number g x being taken into account: each candidate must be 
complementary to p x with respect to g v 

Third prime factor p 3 congruent to 3 (mod 4) with the second base 
number g 2 being taken into account: according to the profile of g 2 with 
respect to two first prime factors p x and p 2 , two cases occur. When 
Profile 2 (g 2 ) is flat, each candidate must be complementary to p x with 
respect to g 2 . Else, we have Profile^) = Profile 2 (g 2 ); each candidate must 
then ensure that Profile 3 (g 1 ) * Profile 3 (g 2 ). 

Choice of i-th prime factor p M congruent to 3 (mod 4) with the 
base number g i being taken into account: according to the profile of g i 
with respect to i first prime factors p l9 p 2 , . . . two cases occur. When 
Profile^) is flat, each candidate must be complementary to p x with respect 
to g ( . Else, among the i-l base numbers g x , g 2 , ... g M and all their 
multiplicative combinations g v g 2 > ••■>£i.<?2* 8i-u namely 2 £ ~ 1 -1 integers in 
all, there is one and only one integer g such that Profile^) = Profile^); 
each candidate must then ensure that Profile^g,) ^ Profile /+1 (g). 

Last prime factor p f ^ congruent to 3 (mod 4) with the base number 
g f __ e _ l and the other base numbers from g f ^ to g m being taken into account: 
the constraints due to the base number gf_^i are taken into account as 
above. Furthermore, when m is equal to or greater than f-e, each 
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candidate must provide for a non-flat profile for the last base numbers, from 
gf-e to 8m* w ith aspect to the f—e prime factors. Each candidate must be 
complementary to p x with respect to all the values of g i for which 
Profile^fe) is flat. 

In short, the prime factors congruent to 3 (mod 4) are chosen as a 
function of one another. 

For i ranging from 0 to f-e-l, to choose the z+l-th prime factor 
congruent to 3 (mod 4), the candidate p M must successfully pass the 
following examination: 

S If i > m or if / = 0, then the candidate p M has no other constraint; it is 

therefore accepted. 
S If 0 < / < m, then the candidate p M must take account of the i-th base 
number g>. The profile Profile^g.) of the base number g i with respect to 
the i first prime factors from p l to p i is computed. Depending on the 
result, one and only one of the two following cases may occur: 

If the profile is flat, then the candidate p M must be complementary 
to p x with respect to g t ; else, it must be rejected. 
Else, among the i-1 base numbers and all their multiplicative 
combinations there is one and only one number that we call g such 
that Profile^) = Profile.^); then the candidate p i+1 must be such 
that Profile /+1 (g) ^ Profile I+1 (^); else, it must be rejected. 
S If /+1 ~f~e and i < n% namely to choose the last prime factor congruent 
to 3 (mod 4) when there remain base numbers, from g f ^ to g m9 which 
have not yet been taken into account, the candidate p f „ e must take them 
into account: among these base numbers, those numbers whose profile 
Profile / _ e _ 1 (g i ) is flat are chosen; the candidate p f-e must be 
complementary to p x with respect to each of the base numbers thus 
selected; else they must be rejected. 

The candidate is accepted because it has successfully undergone the 
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appropriate tests. 

Choice of e prime factors congruent to 1 (mod 4) 

To be acceptable, each candidate p congruent to 1 (mod 4) must fulfill 
the following conditions with respect to each base number from g x to g m . 

- Let us evaluate the Legendre symbol of each base number g { with 
respect to p. If the symbol is equal to -1, let us reject the candidate p 
and go to another candidate. If the symbol is equal to +1, let us 
continue the evaluation of the candidate. It must be noted that if an 
integer 2 is used as the base number, then all the candidates congruent 
to 5 (mod 8) must be removed: the base number 2 is incompatible with 
a factor congruent to 5 (mod 8). 

- Let us calculate an integer s = (p-l+2')/2 ?+1 to establish a key (s,p). 
Let us apply the key (s, p) to each public value G t to obtain a result r. 
Two cases occur. 

- If r equals g t or -g t , then u = 0. In this case, and in this case alone, 
G, is in a cycle. A trivial case may be noted: G, is in a cycle 
provided that p is congruent to 5 (mod 8) and that the Legendre 
symbol of g, with respect to p is equal to +1. It may be recalled 
that G, = 4 is impossible in this case. 

- If r is equal to neither g ; nor then u > 0; it must be noted that 
the key ((p-l)/2\ p) converts every non-quadratic residue y into an 
element b which is a primitive 2'-th root of unity. The following 
algorithm computes u from r and b by using two integer variables: 
w initialized by r and jj taking values of 2 to 2'~ 2 . 

For / going from 1 to t-2, repeat the following sequence: 

- Compute wVG, (mod pj) then raise the result to the power 2'~ M (mod pj): 
we must obtain +1 or -1. When -1 is obtained, compute jj = 2', then 
replace w by w.b> j (mod pj). When +1 is obtained, do nothing. 

At the end of the computation, the variable w has the value g t or -g { . 
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Furthermore, we know that the rank of G, in CG(pj) is divisible by 2'/jj but 
not by 2 t+l /jj, namely that jj determines the value of u by jj = 2' ~". When v 
is greater than jj, namely k > t-u, reject the candidate and go to another 
candidate. When v is smaller than or equal to jj, namely k < t-u, continue 
the evaluation of the candidate. 

When the /prime factors have been produced, the public modulus n 
is the product of the / prime factors p lt p 2 , ... p f The unsigned integer n 
can be represented by a binary sequence; this sequence complies with the 
constraints imposed at the beginning of a program for the size in bits and 
for the number of successive most significant bits at 1. The choice of the 
prime factors provides for the following properties of the modulus n with 
respect to each of the m base numbers g lt g 2 , ... g m . Furthermore, the 
equations (1) and (2) have no solution in x in the ring of the integers 
modulo n. Secondly, the equation (3) has solutions in x in the ring of the 
integers modulo n. 

In short, the prime factors congruent to 1 (mod 4) are chosen 
independently of one another. While the factors congruent to 3 (mod 4) 
gradually take account of the base numbers, each prime factor congruent 
to 1 (mod 4) must take account of all the constraints dictated by each of 
the base numbers. Each prime factor congruent with 1 (mod 4), namely p, 
from p f ^ to p p should have successfully undergone the following 
examination in two steps. 

1) The step (1) is executed successively for each of the m base 
numbers from g 1 to g m . 

The Legendre symbol of the current base number g with respect to 
the candidate p is computed. One and only of the following two cases 
arises: if the symbol is equal to -1, the candidate is rejected. Else (the 
symbol is equal to +1), the examination is continued in passing to the base 
number g following the step (1). 
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When the candidate is acceptable for all the m base numbers, the 
operation passes to the step (2). 

2) The step (2) is executed successively for each of the m public 
values of G t to G m . 

An integer t is computed such that p-l is divisible by 2* but not by 
2 t+ \ then an integer s = (p-l+2y2 t+ \ so as to set up a key (s 9 p). The key 
(s 9 p) is applied to the current public value G = g 2 to obtain a result r, 
namely: r s Cr 5 (mod/?) . Depending on the result, one and only one of 
the following states arises: 

a) If r is equal to g or to-g 9 then u = 0; the examination of the candidate 
is continued in passing to the following public value G at the step (2). 

b) Else, a positive number u is computed taking one of the values from 1 
to t-2 9 in applying the following algorithm which implements two 
variables: jj taking values ranging from 2 to 2 ? ~ 2 and w initialized by 
r, as well as an integer b obtained by applying a key ((p-l)/2\p) to a 
non-quadratic residue of CG(p). 

For an index ii ranging from 1 to t-2 9 the following operation is 
repeated: 

w 2 /G (mod p) is computed and then a key <2 r -" _1 ,/?> is applied to 
the result to obtain +1 or -1 (else, there is proof that the 
candidate is not a prime factor). If -1 is obtained, then jj = 2" is 
computed and then c = bP (mod p\ and then w is replaced by 
w.c (mod p), then there is a passage to the next index ii. If +1 is 
obtained, there is a passage to the next index ii. 
At the end of the algorithm, the value in the variable jj defines u by 
the relationship jj = 2 % ~ u \ the value in the variable w is a square root of 
G, namely g or -g (else, there is proof that the candidate is not a prime 
factor)* Two cases occur: 

■ If t-u < k, then the candidate p is rejected because the branch 
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where G occurs is not long enough. 
■ If (t-u > k), the evaluation of the candidate is continued in going 

to the next public value G following the step (2). 
When the candidate is acceptable for all the m public values, it is 
accepted as a prime factor congruent with 1 (mod 4). 
Computation of the associated values 

To obtain the private components, let us first calculate all the 
solutions to the equation (3.a) in the two simplest and most current cases 
before taking up the general case. 

For each prime factor pj congruent to 3 (mod 4), the key 
<(P/+l)/4, pp gives the quadratic square root of any quadratic residue. From 
this, a method is deduced for computing a solution to the equation (3.a): 

Sj = (0,+l) / 4)* (mod (p r l)/2); then, Q ij = G ( sj (mod pj) 
or else rather the inverse (mod pj) of such a solution. 

Sj = (pj-Da-iipj+l) 1 4)* (mod (p r l)/2) ; then, Q Uj = G? (mod pj) 

In CGipj), there are then two and only two square roots of unity: +1 
and-1; there are therefore two solutions in x to the equation (3.a): the two 
numbers Q u and pyH2y are the same square G, (mod pj). 

For each prime factor pj congruent to 5 (mod 8), the key 
((Pj+l)/4, pj) gives the odd-parity ranking square root of any odd-parity 
ranking element. From this, a solution to the equation (3.a) is deduced: 

Sj s ((p j+ 3) 1 8)* (mod (p r l)/4); then, Q y = G& (mod pj) 
or else rather the inverse (mod pj) of such a solution. 

sj = (pj-iyAr-iipj+Z) 1 8)* (mod (p r l)/4) ; then Q {J = Gf J (mod pj) 
In CG(pj), there are then four and only four fourth roots of unity; there are 
therefore four solutions in x to the equation (3.a). Let us note that l^' 1 ^ 
(mod pj) is a square root of -1 because the Legendre symbol of 2 with 
respect to p congruent to 5 (mod 8) is equal to -1. If Q u is a solution, then 
Pj-Qij is another solution, as well as the product (mod pj) of Q tJ by a square 
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root of -1. 

For a prime factor pj congruent to 2'+l (mod2' +1 ), the key 

{(p r \+T)l2 M , p) gives the odd parity square root of any odd-parity 
ranking element. It is therefore possible to compute a solution to the 
equation (3. a). 

- Let us first of all compute an integer Sj s ((p r l+2*)l2** l ) k (mod (pj-l)/!*) 
to set up a key (s j9 pp. 

- When the key {(p r l+2 t )IT ¥l y p) converts G t into g i or into- the rank 
of G i is an odd-parity value in CG(p y ) (u = 0). Then, the key (s p p ; ) 
converts G t into a number z\ this is the odd-parity ranking solution to 
the equation (3. a). According to the values of / and k, there is still 
min(2*-l, 2-1) other solutions on one or more branches. The branch of 
z 2 carries another solution: this is p r z. When t > 2, the branch of z 4 has 
two other solutions: it is the product of z by each of the two square 
roots of -1, namely each of the two primitive fourth roots of unity. 
Now, if y is a non-quadratic residue of CG(p y ), then y^~ m (mod pj) is a 
square root of -L In general, for i taking each value of 1 to min(£, t\ the 
branch of the 2'-th power of z bears 2 M solutions: these are the 
products (mod pj) of z by each of the T~ x primitive 2'-th roots of unity. 
Now if y is a non-quadratic residue of CG^), then y to the power 
iPf-l)!! 1 is a 2*-th primitive root of unity that we call c. The T~ l to 2'»th 
primitive roots of unity are the odd parity powers of c: c, c 3 (mod p^ c 5 
(mod py), ... c to the power 2'-l (mod pj). 

- When the key ((pj-l+l*)/!** 1 , p) converts G t into an integer r that is 
neither g t nor -g i9 the rank of G t is an even-parity value in CG(p y ) (u > 0). 
Then, provided that G t is appropriately placed in a fairly lengthy branch, 
namely / > k + u, there are 2 k solutions on the branch where G t is 
located. To compute a 2*-th root, it is enough to reiterate the above- 
stated square root computation algorithm k rank times, so as to compute 
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the square root of the successive results up to a solution z. This 
computation may of course be optimized to directly approach a 2*th 
root and then adjust the approximation of a 2*-th root in a single 
operation to achieve a solution z. To obtain all the other solutions, it 
may be noted first of all that if y is a non-quadratic residue of CG(pj), 
then y to the power {p r l)/2 k is a primitive 2*-th root of unity which we 
shall call d. The 2 k 2*-th roots of unity are successive powers of d: d, d 2 
(mod/?,), d 3 (mod pj), ... d to the power of 2*-l (mod pj), d to the power 
2* (mod p.) equal to 1. The 2* solutions on the branch where G is 
located are the products (mod pj) of z for each of these roots. 
In short, to compute a component for the prime factor p and the 

base number with k, t and u being known, the following procedure is 

used: 

1) An integer is computed: s = ((p-l+2y2 t+l ) k (mod (p~l)/2 l ) to set up a 
key (s, p). Then, the key (s 9 p) is applied to G to obtain z = G s (mod p). 
According to the value of u, there is a passage to the step (2) or (3). 

2) If u = 0, z is the odd-parity solution to the equation (3.a). There are still 
min(2*-l, 2-1) other even-parity ranking solutions on one or more 
branches, very precisely on min(£, t) other branches. For i ranging 
from 1 to min(£, r), the branch of the 2 / -th power of z has 2 1 " 1 solutions: 
these are the products (mod p) of z by each of 2 M 2 / -th primitive roots 
of unity. The generic solution to the equation (3. a) is shown by zz. 
The operation goes to the step (4). 

3) If u > 0, all the solutions to the equation (3.a) are even-parity solutions. 
There are 2* of them and they are all in the branch on which G is 
located; indeed: t-u > k. To compute a solution, the following 
algorithm implements two variables: jj assuming values ranging from 2 
to 2'" 2 and w initialized by z, as well as an integer b obtained by 
applying a key <(p-l)/2', p) to a non-quadratic residue of CG(p). 



33 



The following sequence is repeated k ranking times. 
For an index ii ranging from 1 to t-2, the following operation is 
repeated: yp-IG (mod p) is computed and then a key <2 MM ,/?> is 
applied to the result to obtain +1 or -1 (else there is proof that p is 
not a prime number). If -1 is obtained, then jj = 2 U is computed, 
then c s bP (mod /?), then w is replaced by w.c (mod p) 9 then there is 
a passage to the next index ii. If +1 is obtained, there is a passage 
to the next index ii. 
At the end of the algorithm, the variable w has the value za. The 2* 
solutions on the branch where G is located are the products (mod p) of 
za by each of the 2*-th roots of unity. The generic solution to the 
equation (3.a) is represented by zz* The operation passes to the step 
(4). 

4) With zz being known, a component value is deduced therefrom: it is 
the inverse of zz modulo p when the equation G.Q V = 1 (mod n) is used 
and zz when the equation G = Q v (mod n) is used. 
Note. There are various methods to obtain the private components and the 
private values. If a collection of / components is known, namely the / 
components for a given base number, the Chinese remainder technique is 
used to compute the corresponding private value. It can be seen that for a 
given public value G and a modulus n, it is possible to have several 
possible private values Q. There are four of them when n is the product of 
two prime factors congruent to 3 (mod 4); there are eight of them with 
three prime factors congruent to 3 (mod 4); there are sixteen of them with 
two prime factors congruent to 3 (mod 4) and one congruent to 5 (mod 8). 
A judicious use of these multiple values may complicate the attacks by 
analysis of the electrical consumption of a chip card using GQ2. 

Thus, as and when t increases, the program gets complicated for 
increasingly rare cases. Indeed, the prime numbers are distributed on an 
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average as follows: t = 1 for one in two, t = 2 for one in four, t = 3 for one 
in eight and so on and so forth. Furthermore, the constraints due to m base 
numbers make the candidacies increasingly unacceptable. Whatever the 
case may be, the combined moduli definitively form part of GQ2 
technology; the type of GQ2 modulus in no way affects the dynamic 
authentication and digital signature protocols . 

Figure 3 illustrates G t = gf in a cycle with a prime factor p congruent 
to 9 (mod 16), namely / = 3, u = 0, as well as k > 3. It may be noted that: 

b = y s (mod p) 
b* = 1 (mod p) 
b 4 = -1 (mod p) 

Figure 4 illustrates G, = gf on a branch with a prime factor p congruent 
to 65 (mod 128), namely t = 6 as well as k = 4 and u = 2. 

Here is a first set of keys GQ2 with k = 6, giving v = 64, m = 3, giving 
three base: g { = 3, g 2 = 5 et g 3 = 7, and /= 3, namely a modulus with three 
prime factors: two congruent to 3 (mod 4) and one to 5 (mod 8). It must be 
noted that g = 2 is incompatible with a prime factor congruent to 5 (mod 
8). 

p x = 03CD2F4F21E0EAD60266D5CFCEBB6954683493E2E833 

(2 | Pl ) = -1 ; (3 | Pl ) = +1 ; (5 I Pl ) = -1 ; (7 | Pl ) = +1 

p 2 = 0583B097E8D8D777BAB3874F2E76659BB614F985EC1B 

(2 | Pl ) = -1 ; (3 | ft) - -1 ; (5 | ft) = +1 ; (7 I ft) = "1 

p 3 = 0C363CD93D6B3FEC78EE13D7BE9D84354B8FDD6DA1FD 

(2 | ft) = -1 ; (3 | ft) = +1 ; (5 | ft) = +1 ; (7 I Pi) = +1 

n=p x .p 2 .p 3 = FFFF81CEA149DCF2F72EB449C5724742FE2A3630D9 

02CC00EAFEE1B957F3BDC49BE9CBD4D94467B72AF28CFBB26144 

CDF4BBDBA3C97578E29CC9BBEE8FB6DDDD 

g u = 0279C60D216696CD6F7526E23512DAE090CFF879FDDE 

0 2l = 7C977FC38F8413A284E9CE4EDEF4AEF35BF7793B89 
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<2 3 ,i = 6FB3B9C05A03D7CADA9A3425571EF5ECC54D7A7B6F 
<2 1>2 = 0388EC6AA1E87613D832E2B80E5AE8C1DF2E74BFF502 
Q 22 = 04792CE70284D16E9A158C688A7B3FEAF9C40056469E 
Q X2 = FDC4A8E53E185A4BA793E93BEE5C636DA731BDCA4E 
Q U3 = 07BC1AB048A2EAFDAB59BD40CCF2F657AD8A6B573BDE 
Q 23 = 0AE8551E116A3AC089566DFDB3AE003CF174FC4E4877 
e 3 , 3 = 01682D490041913A4EA5B80D16B685E4A6DD88070501 
Q x = D7E1CAF28192CED6549FF457708D50A7481572DD5F2C335D8 
C69E22521B510B64454FB7A19AEC8D06985558E764C6991B05FC2A 
C74D9743435AB4D7CF0FF6557 

Q 2 = CB1ED6B1DD649B89B9638DC33876C98AC7AF689E9D1359E4 
DB17563B9B3DC582D5271949F3DBA5A70C108F561A274405A5CB8 
82288273 ADE67353A5BC316C093 

g 3 = 09AA6F4930E51A70CCDFA77442B10770DD1CD77490E3398A 

AD9DC50249C34312915E55917A1ED4D83AA3D607E3EB5C8B197 
697238537FE7A0195C5E8373EB74D 

The following are other possible values for the components related to the p 3 which is 
congruent to 5 (mod 8). 

The following is a square root of -1 in CG(p 3 ) : c = 2 <p2 ' m (mod p 3 ) = 
0C3000933A854E4CB309213F12CAD59FA7AD775AAC37 
G'i,3 =c.Q 1JS (mod p 3 ) = 

050616671372B87DEC9AEEAC68A3948E9562F714D76C 
6'2,3 = c -22.3 ( mod Pi) = 

06F308B529C9CE88D037D01002E7C838439DACC9F8AA 

Q '3,3 = c • 63,3 ( mod P3) = 

015BE9F4B92F1950A69766069F788E45439497463D58 
Giving: 

Q\ = 676DF1BA369FF306F4A1001602BCE5A008DB82882E87C148D0 
D820A71 1 121961C9376CB45C355945C5F2A9E5AFAAD7861886284A 
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9B319F9E4665211252D74580 

Q' 2 = CAEC4F41752A228CF9B23B16B3921E47C059B9E0C68634C2C 
64D6003156F30EF1BC02ADA25581C8FDE76AA14AB5CC60A2DE1C 
565560B27E8AA0E6F4BCA7FE966 

Q\ = 2ACDF5161FE53B68CC7C18B6AFE495815B46599F44C51A6A1 

A4E858B470E8E5C7D2200EF135239AF0B7230388A6A5BDD8EE15B 

0D094FC2BFA890BFDA669D9735 

The following is a second set of keys GQ2, with k = 9, that is v = 512, m = 2, that is 
two base numbers: g 1 = 2 and g 2 = 3, and/= 3, giving a modulus with three prime 
factors congruent to 3 (mod 4). 

p, = 03852 103E40CD4F06FA7BAA9CC8D5BCE96E3984570CB 

(2 1 Pl ) = -1 ; (3 | p,) = -1 ; and we get: (6 | Pl ) = +1. 

p 2 = 062AC9EC42AA3E688DC2BC871C8315CB939089B61DD7 

(2|p 2 ) = +l ;(3\p 2 ) = -l ;andweget: (6\p 2 ) = -l. 

p 3 = 0BCADEC219F1DFBB8AB5FE808A0FFCB53458284ED8E3 

(2 \p 3 ) = -1 ; (3 \p 3 ) = +1 ; and we get : (6 \p 3 ) = -1. 

n=p l .p 2 .p 3 = FFFF5401ECD9E537F167A80C0A91 1 1986F7A8EBA4D 

6698AD68FF670DE5D9D77DFF00716DC7539F7CBBCF969E73A0C49 

761B276A8E6B6977A21D51669D039F1D7 

Q u = 0260BC7243C22450D566B5C6EF74AA29F2B927AF68E1 

Q 21 = 0326C12FC7991ECDC9BB8D7C1C4501BE1BAE9485300E 

Q 12 = 02DOB4CC95A2DD435DOE22BFBB29C59418306F6CDOOA 

Q 22 = 045ECB881387582E7C556887784D2671CA118E22FCF2 

Q l3 = B0C2B1F808D24F6376E3A534EB555EF54E6AEF5982 

<2 23 = 0AB9F81DF462F58A52D937E6D81F48FFA4A87A9935AB 
Q x = 27F7B9FC82C19ACAE47F3FE9560C3536A7E90F8C3C51E13C 
35F32FD8C6823DF753685DD63555D2146FCDB9B28DA367327DD6 
EDDA092D0CF108D0AB708405DA46 

Q 2 = 230D0B9595E5AD388F1F447A69918905EBFB05910582E5BA64 
9C94B0B2661E49DF3C9B42FEF1F37A7909B1C2DD54113ACF87C6 
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Fl 1F19874DE7DC5D1DF2A9252D 

The present application has described a method for the production of sets of 
GQ2 keys, namely moduli n and pairs of public and private values G and Q 
respectively, in which the exponent v is equal to 2*. These sets of keys are used to 

5 implement a method designed to prove the authenticity of an entity and/or the 

integrity and/or the authenticity of a message as has been described. 
In the pending applications filed on the same day by France Telecom, TDF and the 
firm Math RiZK, and whose inventors are Louis Guillou and Jean-Jacques 
Quisquater, the characteristic features of the methods, systems and devices designed 

10 to prove the authenticity of an entity and/or the integrity and/or the authenticity of a 

message have been claimed. These two applications are incorporated herein by 
reference. 
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CLAIMS 

1. Method enabling the production of the f prime factors p 1? p 2 , ... p f 
of a protocol designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 

by means of a public modulus n constituted by the product of f prime 
factors pj, p 29 ... p f , f being equal to or greater than 2 or by means of the f 
prime factors; 

said method comprising the step of producing said f prime factors p 15 p 2 , ... 
p f , in keeping with the following conditions: 

none of the two equations (1) and (2): 

x 2 = & mod n and x 2 = - g. mod n 
can be resolved in x in a ring of integers modulo n, 

• the equation (3): 

x v = g 2 mod n 

can be resolved in x in the ring of integers modulo n. 

§v 8v * * * 8m designating m distinct integer base numbers, m being greater 
than or equal to 1; 

v designating a public exponent with the form 

v = 2 k 

where k is a security parameter greater than 1; 
said method comprising the step of choosing firstly: 

• the security parameter k 

• the m base numbers g v g 2) , . . . g m , 

• the size of the modulus n, 

• the size of the f prime factors p lj5 p 2 , . . . p f . 

2. Method according to claim 1 such that the m base numbers g ls , g 2> , 
• • • g m ? ^ chosen at least partly among the first integers. 
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3. Method according to any of the claims 1 or 2, such that the 
security parameter k is a small integer, especially smaller than 100. 

4. Method according to one of the claims 1 to 3, such that the size of 
the modulus n is greater than several hundreds of bits. 

5. Method according to one of the claims 1 to 4, such that the f prime 
factors p lj? p^, . . . p f have a size close to the size of the modulus n divided 
by the number f of factors.. 

6. Method according to one of the claims 1 to 5 such that, among the 
f prime factors p lf , p 2 , . . . p f , 

- a number e of prime factors congruent to 1 modulo 4 is chosen, e 
possibly being zero (should e be zero, the modulus n will hereinafter be 
called a basic modulus, should e > 0, the modulus n will hereinafter be 
called a combined modulus), 

- the f-e other prime factors are chosen to be congruent to 3 modulo 
4, f-e being at least equal to 2. 

7. A method according to claim 6 such that, to produce the f-e 
prime factors p lj? p v . . . p f _ e congruent to 3 modulo 4, 
the following steps are implemented: 

- the first prime factor p x congruent to 3 modulo 4 is chosen and then, 

- the second prime factor p 2 is chosen such that p 2 is complementary 
to Pj with respect to the base number g v 

- the factor p i+1 is chosen in carrying out the following procedure in 
distinguishing two cases: 

(1) the case where i> m 

- the factor p i+1 congruent to 3 modulo 4 is chosen. 

(2) Case where i<m 

- the Profile (Profile^)) of gj with respect to the i first prime factors 
Pi is computed: 

• if the ProfilejCgi) is flat, the factor p i+1 is chosen such that p i+1 
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is complementary to p x with respect to g i? 

• else, among the i-1 base numbers g v g 2? ... g M and all their 
multiplicative combinations, the number, hereinafter called g, is chosen 
such that Profilej(g) - Profile^), and then p i+1 is chosen such that 
Profile i+1 ( gi ) * Profile i+1 (g). 

(the terms "complementary", "profile", "flat profile" having the 
meanings defined in the description). 

8. A method according to claim 7 such that, to choose the last 
prime factor p f _ e the following procedure is used in distinguishing three 
cases: 

(1) Case where f-e-1 > m 

• p f . e is chosen congruent to 3 modulo 4. 

(2) Case where f-e-1 = m 

• Profile f . e . 1 (g m ) is computed with respect to the f-e-1 first prime 
factors from, p t to p^ 

• • if Profile f . e . 1 (g m ) is flat, p f _ e _ t is chosen such that it is 
complementary to p 2 with respect to g m , 

• • else: 

• • • among the m-1 base numbers from g 2 to g^ and all 
their multiplicative combinations, the number hereinafter called 
g is chosen such that Profile^g) = Profile^), then 

• • • then p f . e is chosen such that Profile f . e (g) * Profile^ 

e(gm)- 

(3) Case where f-e-1 < m 

• p f . e is chosen such that the following two conditions are met: 
(3.1) First condition 

• Profile^.^g^) is computed with respect to the f-e-1 first 
prime factors from p 2 to p f . e . l5 

• • If Profile f _ e . 1 (g f . e . 1 ) is flat, p f . e is chosen so that it meets 
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the first condition of being complementary to p 2 with respect to 

gf-e-l' 

• • Else, 

• • • among the f-e-1 base numbers from g x to g m . 1 
and all their multiplicative combinations, the number, 
hereinafter called g is chosen such that Profile^g) = 
Profile^^g^), then 

• • • then p f _ e is chosen so that it meets the first 
condition of being such that Profile f . e (g) ^ Profile f . e (g m ), 

(3.2) Second condition 

• among all the last base numbers from g f . e to g m? those numbers 
whose Profile ProSle^ig^ is flat are chosen and then 

• p f . e is chosen so that it meets the second condition of being 
complementary to p x with respect to each of the base numbers thus 
selected. 

9. Method according to the claims 7 or 8 such that, to produce 
the e prime factors congruent to 1 modulo 4, each prime factor candidate p 
is evaluated, from p f . e to p f , in being subjected to the following two 
successive tests: 

(1) First test 

- the Legendre symbol is computed for each base number g. 
from g t to g m , with respect to the candidate prime factor p, 

• if the Legendre symbol is equal to -1, the candidate p is 

rejected, 

• if the Legendre symbol is equal to +1, the evaluation of 
the candidate p is continued in passing to the following base 
number and then, when the last base number has been taken 
into account, there is a passage to the second test. 

(2) Second test 
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- an integer number t is computed such that p-1 is divisible by 2\ 
but not by 2 t+l , then 

- an integer s is computed such that s = (jp-l+l*)/! 1 * 1 . 

- the key (s, p) is applied to each public value G { to obtain a 
result r 

r= Gj s modp 

• if r is equal to gj or - gj, the second test is continued in 
passing to the following public value G i+1 . 

• if r is different from gj or - g i? a factor u is computed in 
applying the following algorithm: 

• • the algorithm consists of the repetition of the following 
sequence specified for an index ii ranging from 1 to t-2: 

• • the algorithm implements two variables: w initialized by 
r and jj = 2 a assuming values ranging from 2 to 2 1 " 2 , as well a 
number b obtained by application of the key {(p-l)^ 4 , p) to a 
non-quadratic residue of CG(p), then the following steps 1 and 
2 are iterated: 

• • • Step 1: w 2 /G s (mod p) is computed, 

• • • Step 2: the result is raised to the power of 2 t_ii '\ 

• • • • If +1 is obtained, the second test is 
continued in passing to the following public value 

• • • • If -1 is obtained, jj = 2 11 is computed and 
then w is replaced by w.b 8 (mod p), then the 
algorithm is continued for the following value having 
an index ii. 

• • at the end of the algorithm, the value in the variable jj is 
used to compute an integer u by the relation jj = 2 t u and 
then the expression t-u is computed. Two cases arise: 
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• • ♦ if t-u < k, the candidate p is rejected 

• • • if t-u > k, the evaluation of the candidate p 
is continued in continuing the second test and in passing 
to the following public value G i+1? the candidate p is 
accepted as a prime factor congruent to 1 modulo 4 if, at 
the end of the second test, for all the m public values G i? it 
has not been rejected. 

10. Protocol applying the method according to any of the 
claims 1 to 9, said protocol being designed to prove the following to a 
controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of m pairs of private values Q 1? Q 2 , ... Q m and public values G 19 
G 2 , ... G m , or parameters derived from these values; 

said modulus and said values being linked by relations of the following 
type: 

Gj . Qi v = 1 . mod n or G { = Q, T mod n . 

said public value G f being the square g t 2 of the base number g { smaller than 
the f prime factors p 19 p 2 , ... p f , 

said protocol implementing, in the following steps, an entity called a 
witness having f prime factors p i and/or parameters of the Chinese 
remainders of the prime factors and/or of the public modulus n and/or the m 
private values Q { and/or tm components } (Q u j = Q; mod pj) of the 
private values Q; and of the public exponent v; 

- the witness computes commitments R in the ring of integers modulo 
n; each commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random factor such that 0 < r < n, 
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• or 

• • by performing operations of the type: 

Ri^r^modpj 

where r,is a random value associated with the prime number pj such that 0 
<r i < p., each r, belonging to a collection of random factors {r t , r 2 , ... r f } , 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d 
comprising m integers dj hereinafter called elementary challenges; the 
witness, on the basis of each challenge d, computing a response D, 

• either by performing operations of the type: 

D = r.Q 1 dI .Q 2 d2 ....Q m d m modn 

• or 

• • by performing operations of the type: 

Di^i. Qi,i dl . Q w * . . . Q i>m *■ mod Pi 

• • and then by applying the Chinese remainder method. 

said method being such that there are as many responses D as there are 
challenges d as there are commitments R, each group of numbers R, d, D 
forming a triplet referenced {R, d, D}. 

11. A method according to claim 10 such that to implement the 
pairs of private values Q w Q 2 , ... Q m and public values G v G 2 , ... G m as 
just described, the method uses the prime factors p t , p 2 , ... p f and/or the 
parameters of the Chinese remainders, the base numbers g w g 2 , ... g m and/or 
the public values G ls G 2 , ... G m to compute: 

- either the private values Q 15 Q 2 , ... Q m by extracting a k-th square 
root modulo n of G i5 or by taking the inverse of a k-th square root modulo 
nofG i5 

- or the fjn private components Q; s of the private values Q lf Q 2 , ... 
Q m such that Q u = Q, (mod p^. 

12. A method according to claim 11 such that,to compute the 
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f.m private components Q^of the private values Q v Q 2 , Q m : 

- the key (s, Pj > is applied to compute z such that: 

z s Gj 8 (mod pj) 

- and the values t and u are used. 

- computed as indicated here above when pj is congruent to 1 
modulo 4 and 

• taken to be respectively equal to 1 (t=l) and 0 (u=0) where pj 
is congruent to 3 modulo 4. 

• • if u is zero, we consider all the numbers zz such that: 

• • • zz is equal to z or such that 

• • • zz is equal to a product (mod pp of z by each of 
the 2 li_t 2 h -th primitive roots of unity, ii ranging from 1 to min(k,t). 

• • If u is positive, we consider all the numbers zz such that zz is 
equal to the product (mod pj) of za by each of the 2 k 2 k -th roots of 
unity, za designating the value of the variable w at the end of the 
algorithm implemented in claim 10, 

- at least one value of the component Q i? j is deduced therefrom, 
it is equal to zz when the equation G { = Qj v mod n is used or else it is 
equal to the inverse of zz modulo pj of zz when the equation G* . Qj v 
s 1 . mod n is used. 
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material to patentability as defined in this section- The duty to disclose information exists with respect to each pending claim until the 
claim is canceled or withdrawn from consideration, or the application becomes abandoned. Information material to the patentability of a 
claim that is canceled or withdrawn from consideration need not be submitted if the information is not material to the patentability of any 
claim remaining under consideration in the application. There is no dury to submit information which is not material to the patentability of 
any exis ting claim. Die duly to disclose all information known to be material to patentability is deemed ro be satisfied if all information 
known to be material to patentability of any claim issued in a patent was cited by the Office or submitted to the Office in the manner 
prcscribed by §§ 1 .97(b)-(dj and 1 .98. However, no patent will be granted on an application in connection with which fraud on ihe Office 
was practiced or attempted or rhe duty of disclosure was violated through bad faith or intentional Tmzcondnct. The Office cncoiu^ct 
applicants to carefully examine: 

( 1 } prior art cited in search reports of a foreign patent office m a counterpart application, and 

(2) the closest information over which individuals associated with the filing or prosecution of a patent application 
believe any pending claim patemably detmes, to make sure thai any material informauon contained therein is disclosed to the Office. 

(lb) Under this Section, information is material tn patentability when it ie net cumulative to information already of fccoid ui 
heing r made of record in the application, and 

rf (J) i t establishes, by ftself u* m wiflbinadon with other information, a prima tacie case of unpatentability of a claim; 



or 



Hf { 2 ) It refures, or is inconsistent with, a position the applicant takes m: 

ip (i) Opposing an argument of unpatentability rehed on by the Office, or 

rp (u) Asserting an argument of patentability. 

paLcjUitbUHv. 

(c) Individuals associated with the filing or prosecution of a patent application within the meaning of this section etc: 

(1) Each inventor named in the application: 

(2) Each attorney or agent who prepares or prosecutes the application; and 

(3) Every other person who is substantively involved m the preparation or prosecution of the application md who is 
associated with the inventor, with the assignee or with anyone to whom there is an obligation to assign the application. 

(d) Individuals other than the attorney, agent or inventor may comply with this section by disclosing information to the 
attorney, agent, or inventor 

(c) in any contmuation-in-part application, the duty under this section includes the duty to disclose to the Office all 
information known to L person to be material to paientabibtv. as defined in paragraph <b) of tins section, which became £*taWe between 
S °SS ■ dreof the wior Lphcancai and the national or rCi mternational filing date ol the continuanon-in-pan application 



I hereby appoint the following attorney^) and/or patent agent(e) to prosecute this application and 10 transact all business in the Patent and 
Trademark Office connected herewith: 



AIbrecht» John W. 

All, M. Jeffer 

Altera, Allan G. 

Anderson, Gregg L 

Satzli, Brian H. 

Beard, John L. 

Bems, John M. 

Branch, JohaW. 

Bremer, Dennis C. 

-Brown. Jeffrey C. 
- Bruess, Steven C. 

Byrne, Linda M. 

Campbell, Keith 
. Carlson, Alan G. 

Gaspers, Philip P. 

Clifford, John A. 

Coldren, Richard J 
* Daignault Ronald A. 

Daley, Dennis R. 

Dalglish, Leslie E. 
' Daalton, Julie R. 

DeVries Smith, Ka&erine M. 

DiPQro, Mark J. 

Dosgltch, Matthew A 

Ede jSRobert T. 

Eppi&iyan, Sandra 
Glaricf* Robert J. 
Gog|B\, Matthew J 
Goll^|:harles E. 

Gonfei, Alan G. 

GouHj JohnD. 
Gregson, Richard 
Gicsfps, JoW J. 
Hamgp Samuel A. 
Hairp, Curtis B. 
Harrison, Kevin Q 
Hertilkg, Brett A. 

HillsSf, Randall A. 

Holztf; Jr., Richard J. 
Hope, Leonard J. 
Jardiuc, Jolui S. 
Johnston, Scott W 
Kadievitch, Natalie D. 
Kasebuig, Frederick A. 
Kettelberger, Denise 
Kays, Jemmie J. 
Knearl, Homer L, 
Kowalchyk, Alan W. 
Ku^alchyk, KittherLnc M. 
Lacy, Paul E. 



Reg, No. 40 : 4S i 
Reg. No. 46^359 
REg, No. 40,274 
Reg. No. 28,828 
Reg. No, 32,960 
Reg. No. 27,612 
Reg, No. 43,496 
Reg. No. 41,633 
Reg. No. 40,528 
Reg, No. 41,643 
Reg. No. 34,130 
Reg. No. 32,404 
Reg, No. 46,597 
Reg. No. 25.959 
Reg, No. 33,227 
Reg, No. 30,247 
Reg. No 44,084 
Reg. No. 25,968 
Reg, No. 34,994 
Reg, No, 40,579 
Reg. No. 36,414 
Reg. No. 47,1 57 
Reg, No, 28,707 
Reg No, P4S.957 
Reg. No. 20,187 
Reg, No. 39,667 
Reg. No. 40 ? 620 
Reg. No. 44 J 25 
Reg. No. 26,896 
Reg. No 32,472 
Reg. No. 1$,223 
Reg. No. 41,804 
Reg. Ho. 33,112 
Reg, No. 46,754 
Reg. No, 29d65 
Reg. No. 46J59 
Reg. No. 42,660 
Reg. No. 31, $38 
Reg. No. 42,668 
Reg, No. 44,774 
Reg. No. P-4S,335 
Reg. No, 39,721 
Reg. No. 34,196 
Reg. No. 47,695 
Reg. No. 33,924 
Reg. No. 42,724 
Reg. No. 21,197 
Reg. No. 31,535 
Reg. No, 36,S4S 
Reg. No. 38 : 946 



Larson, James A. 
Leon, Andrew J, 
Leonard, Christopher J. 
Liepa, Mara E, 
Lindquist Timothy A. 
Lows, Jean A. 
Mayfield, Denise L. 
McDonald, Daniel W. 
Mdntyre, Jr., William F. 
Mitchcm, M. Todd 
Mueller, Douglas P. 
Nelson, Anna 
Parsons ) Nancy J. 
Pauly, Daniel M, 
Phillips, John B. 
Pino, Mark J. 
Prendergast, Paul 
Pytel, Melissa J. 
Qualey, Terry 
Reich, John C. 
Reiland,EarlD. 
Roberts, Fred 
Samuels, Lisa A. 
Schmaltz, David G. 
Schuman,MarkD, 
Schumann, Michael D. 
Scull, Timothy B. 
Sebald, Gregory A. 
Skoog, Mark T 
Spellman, Steven J. 
Stoll-DeBcll, Kirstin L- 
SnlHvan, Timothy 
Sumner, John P. 
Swenson, Erik G. 
Teliekson, David JL 
Tiembath, JonR. 
Tunheim, Marcia A 
Underhill, Albert L. 
Vandenburgh, J. Derek 
Wahl, JohnR 
Weaver, Karrie G. 
Welter, Paul A, 
Wbipps, Brian 
Whitaker, JohnE. 
Williams, Douglas J. 
Withers, James D. 
Witt, Jonelle 
Wu,Tong 
Xu, Min S. 
Young, Thomas 
Zeuli, Anthony R< 



Reg. No, 40,443 
Reg. No. 46,869 
Reg. No. 41 440 
Reg. No, 40 a 066 
Reg. No. 40,701 
Reg. No. P48,428 
Reg. No. 33,732 
Reg. No. 32,044 
Reg. No. 44,921 
Reg. No, 40,73 1 
Reg. No. 30,300 
RegNo.P4g ? 935 
Reg. No. 40,364 
Reg. No. 40,123 
Reg. No. 37 7 206 
Reg. No. 43,858 
Reg. No. 46,068 
Reg. No. 41,512 
Reg. No. 25,148 
Reg. No. 37 5 703 
Reg. No, 25,767 
Reg. No. 34,707 
Reg. No. 43 7 080 
Reg. No. 39,828 
Reg. No. 31,197 
Reg. No- 30,422 
Reg, No. 42,137 
Reg. No. 33,280 
Reg. No. 40,178 
Reg. No. 45,124 
Reg. No. 43,164 
Reg. No. 47,981 
Reg. No. 29,114 
Reg. No. 45 ? 147 
Reg. No. 32,314 
Reg. No. 38,344 
Reg, No. 42,189 
Reg. No. 27,403 
Reg. No. 32,179 
Reg. No. 33,044 
Reg. No. 43,245 
Reg. No. 20,890 
Reg. No. 43,261 
Reg. No. 42,222 
Reg. No, 27,054 
Reg, No, 10,376 
Reg. No. 41,980 
Reg. No. 43,361 
Reg. No. 39pJ6 
Reg. No. 25,796 
Reg. No. 45,255 



T here by authorize them ia act and rely on mictions from and communicate directly with die pc«on/assi S acc/atioiii«yGiiu/ oigaui^ii 
who/which fust sends/sent this case to them and by whom/which I hereby declare that I have consented after Ml disclosure to be 
•represented unless ton! I instruct Merchant & Goald P.C to the contrary. 

r understand thai the execution of this document, and the grant of a power of attorney, does not in itself establish an attorney-client 
relarion&hip between the xindersigrted and rta law -firm Merchant & Gould P.C, ox a*y of its attorneys. 
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Please direct ail correspondence in this case to Merchant & Gould P.C. at the address indi cated below: 



Merchant 6c Gouid r\C. 
P.CX Box 2903 
Minneapolis, MN 55402-0903 



I hereby declare that all statements made herein of my own knowledge are fnie and thai all statements made on information and belief an- 
believed ic be true; and further that these statements were made with the knowledge that willfil! false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title IS of the United States Code and that such willful false siatsme! 
may jeopardize the validity of the application oi any paieni issutd thereon. 




Fli!! Nfldle 
Ol'Inveiuor 



j Faroilv Nanus 

j Guiiicu 



First Given Name 

Lows 



Kcsidcuce 
■& Citizenship 



City 

Bgurgfrarrs 



\ Sfcitc or Foreign Country 
France 



Second Given Name 



Country <rf Citizenship 
France 



Mailing 
Address 



Address 
16, rue dc rise 




City 

Bourgharrc 



State & Zip Code/Country 
35230/ France 



♦Signature of Inventor 201: 



01 

, 0 "rl 



Full Name 
Oflnvenior 



Family Name 

Quisquarcr 



| First Given Name 

j Jean-Jacques 



Second Given Nam« 



Residence i C:iy 
& Citizenship \ Rhode Saim Gcncse 



2 ..^ jj Mailing 
j r li Address 



Address - 
3, avenue des Canards 



Staic Ar Foreign Country 
Belgium 



Country or Citizenship 
j Belgium 



City 

Rhode Saim Genesc 



State & &ip Code/Country 
1640 / Belgium 



ature of Inventor 202: 



77- 



Date: 



